med spas and HIPAA

Your med spa is required to be HIPAA compliant, and HIPAA violations can be costly. Your social media presence is a great way to keep in touch and communicate with your clients. But before you respond to a comment about how great and wonderful a customer's med spa experience was, you should be aware of the potential consequences of that response. Those consequences relate to HIPAA.

Although HIPAA is usually discussed in terms of hospitals, physicians and health insurers, its Privacy Rule requires health care providers to protect the confidentiality and security of protected health information (PHI), and that includes your med spa's clients, since you are providing medical services. Your business is valuable, and so is their privacy.

So, when you respond to those very kind words your clients left on your Facebook page, Twitter, Instagram or blog, keep these very important things in mind:

They can name you and your staff, but you cannot confirm what they had done.

Your clients might post about their wonderful experience at your med spa and mention staff members by name. That's great, and perfectly legal: a client is free to disclose their own information. You, on the other hand, should not return the favor by confirming their statement. Confirming it acknowledges their status as a patient, and the fact that someone is your patient is itself protected health information. If you want to comment, "thank you for your kind words" is enough: it responds kindly without acknowledging any relationship to the commenter or disclosing what procedure they had (which only the client may do). Replying "it was great having you as a patient for [procedure]" reveals private, sensitive information and violates HIPAA.

Do not provide any medical advice online.

There are sites where medical professionals and services answer questions in an open online forum. When your med spa starts to dole out medical advice in such a forum, that can lead to bad things. One way it becomes a HIPAA violation is if the person asking happens to be a current client, and during the discussion your medical staff inadvertently refer to the person as a client ("Oh yes, I remember you now. You came in for [x] last month!").

Play it safe and don't give out medical advice online. If your medical staff feel the need to provide medical advice to someone in an online forum, have them schedule an appointment and give it privately.


Maintaining patient confidentiality can be a difficult job sometimes, but you can make it easier by reminding your online community that social media, your blog and the internet in general are public places where everything is visible to everyone. With that in mind, your patients will at least be aware of the perils of posting information they may not want other people to know. They'll be more cautious with their posts, and you'll have an easier time managing the content and avoiding a HIPAA investigation.

Pictures are worth a thousand words – and a few thousand dollars in HIPAA violations.

Before and after pictures are a great way for your med spa to display its expertise. But before you post those pictures, make sure you have the patient's written authorization allowing your med spa to use them for that purpose. Blacking out the eyes or showing only the body does not make a picture anonymous: tattoos, scars, birthmarks and other distinctive features can still identify the person. Do it right and ask the client for permission to use the pictures.

Remember, nothing is private online. Use social media to promote your med spa business, but make sure to protect your clients' privacy at all times.